ABSTRACT:

PROBLEM TO BE SOLVED: To automatically allocate an IPSec usable port to a volume desired for 
secured communication. 

SOLUTION: A management server manages presence of a security function possessed by a physical 
port. According to the information about this management, the server automatically decides to 
which physical port the volume is allocated after creation of the volume, and then, carries out 

TITLE: Storage system with data-dependent security 

Detailed Description Text (33) : 

FIG. 4 shows a sequence 400 performed to allocate space in the storage 108 according to the 
invention. For ease of explanation, but without any limitation intended thereby, the example of 
FIG. 4 is described in the context of the environment described above in FIGS. 1-3. The 
sequence is initiated in step 402, when one of the application programs 110-112 issues a 
request to its respective host 102-104 to allocate storage space. The allocation request may 
specify relevant aspects of the allocation operation, such as the type of storage device to be 
used (if the storage 108 contains different storage modes), etc. Allocated storage "regions" 
may correspond to any convenient unit of granularity, such as a disk sector, disk track, disk 
"extent", volume, address range, block, tape track, file, dataset, etc. Storage regions may 
also have user-specified sizes, in which event this additional characteristic may be included 
in the allocation request. If desired, one or more storage regions may comprise subsets of a 
larger data structure, such as a database, file, storage group, dataset, etc; advantageously, 
this embodiment facilitates different levels of security for subsets of a larger data 
structure. 

Detailed Description Text (34) : 

In step 406, the application program 110-112 sets a desired level of security for the allocated
storage. The types of security are also called "operation parameters", and in this example
include (1) read and write prohibited, (2) write prohibited, and (3) no security, which may be 
a default value if no operation parameter is specified. With a read and write prohibited 
operation parameter, the controller 106 will prevent hosts from reading or writing the 
associated storage region unless the host presents a required access key. With a write 
prohibited region, as discussed in greater detail below, the controller 106 will prevent hosts 
from writing the storage region unless the host presents a required access key. Hosts may still 
read data from this storage region without presenting the associated access key. All hosts can 
freely read and write data from/to "no security" storage regions. 

Detailed Description Text (36) : 

After step 408, step 410 carries out the requested allocation operation. In step 412, the
application 110-112 issues an allocation command to the host 102-104, commanding the host
102-104 to assign security and access key to a storage region of the appropriate size. In step
414, the host 102-104 assigns a storage region for the requesting application 110-112 and
carries out the requested allocation by representing that storage region's allocation in a
storage map (not shown). In addition, the host directs the controller 106 to associate the
provided operation parameter (security level) and access key with the defined storage region.
The host 102-104 may provide its directions to the controller 106, for example, by issuing a
set-access-key command, which specifically directs the controller 106 to associate the access
key and operation parameter with the allocated storage region.
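
The three operation parameters and the set-access-key association described above can be
modeled as follows. This is an added example, not code from the patent; the class and method
names are hypothetical, keys are assumed to be byte strings, and the constant-time comparison
is a choice made here that the text does not specify.

```python
import hmac
from enum import Enum


class OperationParameter(Enum):
    READ_WRITE_PROHIBITED = 1   # reads and writes both need the key
    WRITE_PROHIBITED = 2        # writes need the key, reads are open
    NO_SECURITY = 3             # default when no parameter is given


class Controller:
    """Toy model of controller 106 holding per-region security metadata."""

    def __init__(self):
        self._meta = {}   # region id -> (operation parameter, access key)
        self._data = {}   # region id -> stored bytes

    def set_access_key(self, region, key=None,
                       param=OperationParameter.NO_SECURITY):
        # Models the set-access-key command the host issues in step 414.
        if param is not OperationParameter.NO_SECURITY and not key:
            raise ValueError("a protected region needs an access key")
        self._meta[region] = (param, key)
        self._data.setdefault(region, b"")

    def _key_ok(self, region, presented):
        _, key = self._meta[region]
        if key is None or presented is None:
            return False
        # Constant-time comparison so response timing does not leak key bytes.
        return hmac.compare_digest(key, presented)

    def read(self, region, key=None):
        param, _ = self._meta[region]
        needs_key = param is OperationParameter.READ_WRITE_PROHIBITED
        if needs_key and not self._key_ok(region, key):
            raise PermissionError("read denied")
        return self._data[region]

    def write(self, region, payload, key=None):
        param, _ = self._meta[region]
        needs_key = param is not OperationParameter.NO_SECURITY
        if needs_key and not self._key_ok(region, key):
            raise PermissionError("write denied")
        self._data[region] = payload
```
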

TITLE: Storage controller conditioning host access to stored data according to security key
stored in host-inaccessible metadata 



Detailed Description Text (56) : 

The sequence is initiated in step 402, when one of the application programs 110-112 experiences
conditions requiring allocation of storage. The condition causing step 402 may further dictate
relevant aspects of the necessary allocation operation, such as (1) the type of storage device 
to be used in the allocation operation if the storage 108 contains different types of storage 
media, (2) the size of region to allocate, and (3) other pertinent aspects. Allocated storage 
regions may be expressed in terms of any convenient or appropriate unit of granularity, such as 
one or more disk sectors, disk tracks, disk "extents", logical volumes, address ranges, blocks, 
tape tracks, files, datasets, etc. Storage regions may also have user-specified sizes, in which 
event this additional characteristic may be included in the allocation request. If desired, one 
or more storage regions may comprise subsets of a larger data structure, such as a database, 
file, storage group, dataset, etc; advantageously, this embodiment may facilitate different 
levels of security for subsets of a larger data structure. 